From 44b6a5e549ddd66adf650d6ab30044539952fd46 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@openwrt.org>
Date: Tue, 5 Jan 2016 10:42:52 +0000
Subject: samba36: add three CVE patches from 2015-12-16
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A
patchset for these vulnerabilities was published on 16th December 2015.

Signed-off-by: Jan Čermák <jan.cermak@nic.cz>

SVN-Revision: 48133
---
 .../samba36/patches/011-patch-cve-2015-5296.patch  | 112 +++++++++++++++++++++
 1 file changed, 112 insertions(+)
 create mode 100644 package/network/services/samba36/patches/011-patch-cve-2015-5296.patch

(limited to 'package/network/services/samba36/patches/011-patch-cve-2015-5296.patch')

diff --git a/package/network/services/samba36/patches/011-patch-cve-2015-5296.patch b/package/network/services/samba36/patches/011-patch-cve-2015-5296.patch
new file mode 100644
index 0000000..eaafd1c
--- /dev/null
+++ b/package/network/services/samba36/patches/011-patch-cve-2015-5296.patch
@@ -0,0 +1,112 @@
+From 25139116756cc285a3a5534834cc276ef1b7baaa Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 30 Sep 2015 21:17:02 +0200
+Subject: [PATCH 1/2] CVE-2015-5296: s3:libsmb: force signing when requiring
+ encryption in do_connect()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/clidfs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index 23e1471..f153b6b 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -98,6 +98,11 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
+ 	const char *username;
+ 	const char *password;
+ 	NTSTATUS status;
++	int signing_state = get_cmdline_auth_info_signing_state(auth_info);
++
++	if (force_encrypt) {
++		signing_state = Required;
++	}
+ 
+ 	/* make a copy so we don't modify the global string 'service' */
+ 	servicename = talloc_strdup(ctx,share);
+@@ -132,7 +137,7 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
+ 	zero_sockaddr(&ss);
+ 
+ 	/* have to open a new connection */
+-	c = cli_initialise_ex(get_cmdline_auth_info_signing_state(auth_info));
++	c = cli_initialise_ex(signing_state);
+ 	if (c == NULL) {
+ 		d_printf("Connection to %s failed\n", server_n);
+ 		return NULL;
+-- 
+2.5.0
+
+
+From 060adb0abdeda51b8b622c6020b5dea0c8dde1cf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 30 Sep 2015 21:17:02 +0200
+Subject: [PATCH 2/2] CVE-2015-5296: s3:libsmb: force signing when requiring
+ encryption in SMBC_server_internal()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+---
+ source3/libsmb/libsmb_server.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
+index 45be660..167f2c9 100644
+--- a/source3/libsmb/libsmb_server.c
++++ b/source3/libsmb/libsmb_server.c
+@@ -258,6 +258,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
+         const char *username_used;
+  	NTSTATUS status;
+ 	char *newserver, *newshare;
++	int signing_state = Undefined;
+ 
+ 	zero_sockaddr(&ss);
+ 	ZERO_STRUCT(c);
+@@ -404,8 +405,12 @@ again:
+ 
+ 	zero_sockaddr(&ss);
+ 
++	if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
++		signing_state = Required;
++	}
++
+ 	/* have to open a new connection */
+-	if ((c = cli_initialise()) == NULL) {
++	if ((c = cli_initialise_ex(signing_state)) == NULL) {
+ 		errno = ENOMEM;
+ 		return NULL;
+ 	}
+@@ -750,6 +755,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+         ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
+                                    pp_workgroup, pp_username, pp_password);
+         if (!ipc_srv) {
++		int signing_state = Undefined;
+ 
+                 /* We didn't find a cached connection.  Get the password */
+ 		if (!*pp_password || (*pp_password)[0] == '\0') {
+@@ -771,6 +777,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+                 if (smbc_getOptionUseCCache(context)) {
+                         flags |= CLI_FULL_CONNECTION_USE_CCACHE;
+                 }
++		if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
++			signing_state = Required;
++		}
+ 
+                 zero_sockaddr(&ss);
+                 nt_status = cli_full_connection(&ipc_cli,
+@@ -780,7 +789,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+ 						*pp_workgroup,
+ 						*pp_password,
+ 						flags,
+-						Undefined);
++						signing_state);
+                 if (! NT_STATUS_IS_OK(nt_status)) {
+                         DEBUG(1,("cli_full_connection failed! (%s)\n",
+                                  nt_errstr(nt_status)));
+-- 
+2.5.0
-- 
cgit v1.1